The problem once again is Angular’s poor documentation.
The fact is, Angular will add the X-XSRF-TOKEN header only if the XSRF-TOKEN cookie was generated server-side with the following options:
- Path = `/`
- httpOnly = `false` (this is very important, and fully undocumented)
Besides, the Angular app and the URL being called must reside on the same server.
Refer to this Angular GitHub issue.
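
The cookie conditions listed in this answer, as an added Node.js example (not part of the original answer and not Angular's own code): it issues the cookie, audits a `Set-Cookie` header against those conditions, and performs the server-side comparison of the cookie with the `X-XSRF-TOKEN` header. The function names, the `Secure` and `SameSite` attributes, and the sample values are assumptions made for illustration.

```javascript
// Added example: function names and attribute choices are illustrative assumptions.
const { randomBytes, timingSafeEqual } = require('node:crypto');

// Issue the token cookie with Path=/ and WITHOUT HttpOnly, so that script in
// the page can read it and copy it into the X-XSRF-TOKEN request header.
// Secure assumes the site is served over HTTPS.
function buildXsrfCookie(token = randomBytes(32).toString('hex')) {
  return `XSRF-TOKEN=${token}; Path=/; Secure; SameSite=Lax`;
}

// Report why a given Set-Cookie header would stop the client echoing the token.
function auditXsrfCookie(setCookie) {
  const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
  const lower = attrs.map((a) => a.toLowerCase());
  const problems = [];
  if (!pair.startsWith('XSRF-TOKEN=')) problems.push('cookie is not named XSRF-TOKEN');
  if (lower.includes('httponly')) problems.push('HttpOnly hides the cookie from script');
  // A missing Path defaults to the request directory, so it is flagged too.
  if (lower.find((a) => a.startsWith('path=')) !== 'path=/') problems.push('Path must be /');
  return problems;
}

// Server side of the check: the header value must equal the cookie value.
// `headers` uses lowercase keys, as Node's http module delivers them.
function verifyXsrf(headers) {
  const m = /(?:^|;\s*)XSRF-TOKEN=([^;]*)/.exec(headers.cookie || '');
  const sent = headers['x-xsrf-token'];
  if (!m || !m[1] || typeof sent !== 'string') return false;
  const a = Buffer.from(m[1]);
  const b = Buffer.from(sent);
  // Length check first: timingSafeEqual throws on unequal lengths.
  return a.length === b.length && timingSafeEqual(a, b);
}
```
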